My first interview in the “Hosting+Security” category will be with Jim Walker of TVCNet.

I know Jim for quite some time. I met him in various forums where webmasters discuss security problems. A couple of months ago he started to advertise his malware removal service on my Unmask Parasites site. Before placing the ads, I did some background check and was impressed with their focus on security features and their looong list of signed testimonials.

To find out more about how a relatively small hosting provider can ensure security of their clients’ websites, I asked Jim to answer my questions and tell my blog readers about his company’s security practices.Q: Hello Jim. Could you briefly introduce yourself and your TVCNet hosting company?

A: Hi, I’m Jim Walker with TVCNet. I manage the sales and service side of our web hosting and hack repair business.

Q: First of all, let me tell you that I’m impressed with your list of testimonials. How long did it take to compile it?

A: Testimonials are from the past 10 years.

Q: As far as I can see, you mainly provide hosting services to small and medium websites. Their owners don’t usually have enough expertise to efficiently deal with all sorts of security problems. So they tend to completely rely on their hosting providers. What sort of protection can clients of TVCNet expect?

A: Security is our bread and butter. When we started the hosting business back in the late 90’s our model was and is to provide the best possible customer service and security for even our smallest shared hosting customers. We were one of the first web hosts to fully embrace the PCI compliance standard years ago, and that experience has helped us maintain our competitive edge in the secure web hosting services market. As a result, even our $3 a month clients are PCI compliant.

Q: Could you tell us in plain English what PCI compliancy is and why webmasters should care about it?

A: PCI compliance is required by many credit card companies in order to accept credit card payments through a website.

Q: One of your advertised security features is daily malware scans. Can you tell us more about it? How efficient it is in finding malware? What sort of problems does it detect and what happens when your scanner detects the problem?

A: In late 2009 we developed an internal malware scanning service to help client’s moving in from other web hosts who were being repeatedly hacked. We’ve since developed the program to zero in on known exploits and report them to our staff for review via email. Clients may likewise sign up to receive daily reports. If the report observes either a suspicious file or virus we contact client via email, often within minutes of the hack event.

Q: We’ve recently heard of many hacker attacks where multiple sites on the same server got hacked at the same time. Quite a few well-known hosting providers fell victims to such attacks. I believe, in some of such cases, the cause was in insufficient account and resource isolation coupled with loose file permissions. What does TVCNet do to minimize risks of attacks from compromised accounts on shared servers?

A: There are a lot of things a host can do to better prevent the type of mass hack events you describe. On our end, we follow some fairly strict security guidelines when setting up new servers and ensure all of our servers are regularly patched to meet the latest PCI security compliance standards. I can’t stress enough the importance of suPHP and daily malware scans.

One of the biggest disservices the industry promotes to hosting client’s today are the unlimited websites in a single account type packages. Yes, they do make hosting attractive to people looking to save money, but the security ramifications are extreme.

If you lump a dozen websites into the same file space and one of the dozen is hacked there is no stopping the hacker from simply hacking all of the websites in the same files space. That’s like locking only the front door in an office building… We do not promote that sort of service — it’s a shame many hosts in the industry have capitalized on this type of shared hosting arrangement.

Q: Outdated, vulnerable and improperly configured third-party web software is one of the major sources of website hacks. As I can see, you allow your clients to install third-party applications. WordPress with thousands of plugins, Joomla, osCommerce, etc. How do you deal with their never-ending security issues?

A: That is a good question. A host can’t realistically prevent their clients from installing website scripts. What a webhost can do though is run periodic scans to alert clients of outdated scripts or malware installed within their account. We do this as a free service to our customers.

Q: How do you deal with attacks that use stolen FTP credentials of your clients? Do you have FTP security guidelines or best practices for your clients? I think that hosting providers should always warn webmasters that saving passwords in FTP clients is a dangerous practice (especially on Windows computers), and that insecure FTP protocol can only be used on clean computers on trusted networks, and only if SFTP is not available for some reason (Your hosting plans support SFTP, don’t they?)

A: This is a tough nut to crack for a web host. On the one hand you want to offer as much access and as many options as possible to your clients. On the other you can’t force people to be more secure or change their habits. We do promote SFTP and offer SSH to clients. We likewise periodically remind clients to use the more secure options available, and have implemented some password update protocols to remind people to change their passwords, etc.

That said, in today’s market you can’t force security focus on anyone. But we do try our best to educate our clients on the latest security practices.

Q: By the way, what about SSH? It’s a powerful tool in hands of experienced webmasters, but some hosting providers consider it as potentially dangerous. Your hosting plans include SSH. Could you elaborate on your this?

A: Secure Shell (SSH) is an essential service for many advanced webmasters. We do our best to ensure our customers are given as many options as possible to help ensure their success. I agree SSH has a pretty bad reputation in the industry. As long as a web host restricts access in such a way as to prevent direct SSH to a web server most reported vulnerability issues can be avoided. Without going into detail in regard to how our customers may use SSH securely suffice it to say we’ve locked down the service considerably.

Q: In my experience, hosts that don’t provide SSH to their [Linux] clients only make webmasters’ life more difficult while hackers just upload so called web shells and don’t miss SSH that much. Can your malware scanner detect such shells?

A: Yes. This is why external scans are less reliable then root level malware scans. The image below shows a partial malware report sent to a client who’s website was compromised in this way. In this particular case, the moment we noticed the shell scripts during one of our daily scans we immediately deleted the malicious scripts and alerted client respectively.

Q: Now let’s talk about what happens if your clients have security problems. They see anti-virus alerts, or Google’s Safe Browsing warnings, or maybe found spammy hidden links in their web pages. What should they do?

A: If a client contacts us regarding a hack situation, which is very rare because we virtually always know before the client does, is to first run a malware scan on their site, review the hacks and provide tips on how they may clean up their site.

Because we maintain daily and weekly backups, more often than not we just recover the client’s website from backup within a few minutes of their request. On average, if a client calls and says their website is hacked we’ll have it un-hacked within 30 minutes (at no extra cost).

Q: What if your clients complain that their website has been blacklisted by Google, but your inspection shows the warning is caused by a widget or an ad from a compromised third-party site. Technically, the website hasn’t been hacked. Can your clients expect your help in this case?

A: Yes. If one of our customers asks us to review their site for hacks, or assist in helping to resolve the situation we generally try to do so at no additional cost.

Q: I know that you also provide a malware removal service – HackRepair. So, where is the border between services that you provide to TVCNet clients for free and the services that require additional payment?

A: Only difference is that if client wishes to receive a daily report it costs just $3 a month. Otherwise, we review the reports internally for all servers every morning and contact clients with hacked content same day (at no extra charge).

Q: By the way, in your experience, what is the most prevalent type of hack and what webmaster can do to prevent it?

A: Most prevalent type of hack involves clients not maintaining the latest installations of wordrpess or joomla. Hackers just love this [sort of] sites because versions more than six months old are so easily hacked.

Q: Finally, what if some webmaster gets disappointed with his/her current hosting provider and decides to give TVCNet a try? Moving websites can be pretty troublesome and involve significant downtime.

A: Free website moves are included with all of our service packages. We’ve developed a number of procedures to help reduce downtime during service moves. Most client’s do not experience downtime during their moves. The process can actually be quite low stress when done in a step by step manner.

Thank you for taking your time to answer my questions and tell us about security practices at TVCNet.

Afterword

I hope, this interview was informative. I tried to ask questions that cover various types of security issues to hosting providers have to address (and webmasters hope that they address them well.)

This was not a promotional article and I encourage you to take it with a grain of salt. If you want to ask Jim more questions or share your concerns with us, you can do it in comments.

If you want to tell us about interesting security approaches of your hosting company or know a company that should be covered in the “Hosting+Security” category, don’t hesitate to contact me either here in comments or directly via a contact form.

Reader's Comments (3)

[…] This post was mentioned on Twitter by Denis and Cliff Torrence, Greg Plummer. Greg Plummer said: PCI Compliance News: Can Security Be Bread and Butter of a Hosting Provider? | Unmask …: We were one of the fi… http://bit.ly/gv5rlS […]

Any webhost who does not turn off FTP Clear Text Authentication on all web servers today is no longer PCI compliant.

I mean I know most web hosts don’t care about security or PCI compliance, but this is one of the most explosive events to occur on the Internet in over a decade.

If you haven’t heard, as of May 31st, any web host who still provides FTP with clear text authentication to their customers is no longer PCI compliant.

I mean this is the game changer which everyone is afraid to talk about (apparently), because it radically separates the security conscious web hosts from the “we don’t care about PCI compliance or our client’s security” web hosts.

I’m completed blown away as to how this hasn’t been the top story in Wired and other news outlets.

Pretty amazing actually, since it appears TVCNet is one of only a literal handful of shared web hosts in the entire world who remain PCI compliant as June 2011.